React Team Fixes New RSC Flaws Exposing Apps to DoS and Code Leaks

The React team has shipped another round of security fixes, this time addressing two new weaknesses in React Server Components (RSC) that could allow denial-of-service attacks or even leak server-side source code under the right conditions.

These findings didn’t come out of nowhere. According to the React team, security researchers discovered them while poking at the earlier CVE-2025-55182 patch, a critical RSC vulnerability that quickly made its way into real-world attacks. As often happens, once one door is closed, researchers start checking the windows.

Here’s what was found:
The New Vulnerabilities
1. CVE-2025-55184 (CVSS 7.5) – A pre-auth DoS issue caused by unsafe deserialization in Server Function endpoints. A malicious request can trigger an infinite loop that effectively freezes the server.
2. CVE-2025-67779 (CVSS 7.5) – An incomplete fix for the first DoS issue. Same impact, same cause, just another path to trigger it.
3. CVE-2025-55183 (CVSS 5.3) – A code-leak flaw. With a carefully crafted HTTP request, an attacker could retrieve the source code of any Server Function, but only if that function exposes an argument that gets converted into a string.

Affected Versions
These vulnerabilities affect the following versions of the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages:
1. CVE-2025-55184 & CVE-2025-55183:
   19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
2. CVE-2025-67779:
   19.0.2, 19.1.3, 19.2.2
The fixes are available in 19.0.3, 19.1.4, and 19.2.3.
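
As an added example (not part of the advisory or of React's own tooling), a small Node script that checks the `packages` map of a package-lock.json against the version lists above and names the fixed release for each hit; the lockfile below is constructed sample data.

```javascript
// Added example: flag affected react-server-dom-* versions in a lockfile and
// name the fixed release, using the version lists from the advisory above.
const AFFECTED_PACKAGES = [
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'react-server-dom-webpack',
];

// Affected versions per CVE, and the fixed version for each 19.x minor line.
const ADVISORY = {
  'CVE-2025-55184': ['19.0.0', '19.0.1', '19.1.0', '19.1.1', '19.1.2', '19.2.0', '19.2.1'],
  'CVE-2025-55183': ['19.0.0', '19.0.1', '19.1.0', '19.1.1', '19.1.2', '19.2.0', '19.2.1'],
  'CVE-2025-67779': ['19.0.2', '19.1.3', '19.2.2'],
};
const FIXED = { '19.0': '19.0.3', '19.1': '19.1.4', '19.2': '19.2.3' };

// Assess one installed package: which CVEs the version is exposed to and the
// release to move to. Packages outside the affected set always come back clean,
// even when their version string happens to match (e.g. react itself).
function assess(name, version) {
  if (!AFFECTED_PACKAGES.includes(name)) return { name, version, cves: [], fixedIn: null };
  const cves = Object.keys(ADVISORY).filter((cve) => ADVISORY[cve].includes(version));
  const minor = version.split('.').slice(0, 2).join('.');
  return { name, version, cves, fixedIn: cves.length ? FIXED[minor] || null : null };
}

// Walk a lockfileVersion 2/3 "packages" map and report every affected
// react-server-dom-* entry, including copies nested under other dependencies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const r = assess(name, entry.version);
    if (r.cves.length) findings.push({ path, ...r });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable, one incomplete-fix, one patched copy.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/react-server-dom-parcel': { version: '19.1.3' },
    'node_modules/some-dep/node_modules/react-server-dom-turbopack': { version: '19.2.3' },
    'node_modules/react': { version: '19.2.1' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.cves.join(', ')} -> upgrade to ${f.fixedIn}`);
}
```

Point `scanLockfile` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; a lockfile on the 19.0.2/19.1.3/19.2.2 line is reported as still exposed to CVE-2025-67779.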

Who Found the Issues?
The React team credited:
1. RyotaK and Shinsaku Nomura for the two DoS discoveries
2. Andrew MacPherson for identifying the code-exposure bug
All were reported through Meta’s bug bounty program.

Why These Follow-Up Bugs Happen
React’s announcement made a point that any engineering team can relate to:
Once a big vulnerability drops, researchers swarm the surrounding code paths, hunting for bypasses and variants. That is not a failure; it is part of a healthy security cycle.
And with CVE-2025-55182 already being actively tested and exploited, the timing of these fixes couldn’t be more important.

What Developers Should Do
If your project uses React Server Components, update immediately.
The patches are already live, and delaying only widens the attack window.

Source: The Hacker News

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067